An observation about client certificates

solderpunk solderpunk at SDF.ORG
Mon May 11 09:18:16 BST 2020


Haha, this was me!  In order to get a 1.0.0 release of AV-98 out the
door and into PyPI quickly so that there's an easy to install client for
curious newcomers, I spent some time yesterday hacking away on client
certificate support.  Mozz added some basic support a few weeks back to
facilitate the astrobotany game, but I am working on something slightly
more user-friendly.  As long as the `openssl` command line tool is
installed, it will soon be possible to generate certs from within AV-98
in response to status codes wanting them.  Once you navigate to a
different domain other than the one for which the cert was generated,
you'll get a privacy warning and the option to stop using that cert.
It's certainly still rough around the edges, but it's usable enough and
will facilitate more experimentation on the server side with client
certificates.  I'll post lots more about this work here in the near
future.

Anyway, at some point yesterday I got tired of filling out `openssl`'s
prompts when making new certs and just gave blank answers to everything,
which would be the requests you noticed.  Are you quite sure that your
server handled them just fine as the logs indicate?  If I remember
rightly the SSL handshake seemed to fail when I did this so I quickly
reverted to putting something non-zero in there.

We should talk about logging formats some time.  Molly Brown keeps logs
too (I keep meaning to make a nice graph showing the wave of traffic
that came in after we hit HN), in an ad-hoc format that doesn't match
yours below at all (unsurprisingly).  Having a standard format would
facilitate tools to monitor/visualise logs.

Cheers,
Solderpunk

On Sun, May 10, 2020 at 08:18:21PM -0400, Sean Conner wrote:
> 
>   I know logging isn't popular here, but I still do it anyway, in order to
> track down issues that might come up, either bugs in the server.  Early on,
> I decided to also log certificates that might be used to hit the "/private"
> directory on my server.  I'm seeing a bit more activity there, which is
> nice, the latest one being:
> 
> remote=---.---.---.--- status=20 request="gemini://gemini.conman.org/private/" bytes=213 subject="/CN=AV-98 cert test" issuer="/CN=AV-98 cert test"
> 
>   But the following requests had me seriously puzzled:
> 
> remote=---.---.---.--- status=20 request="gemini://gemini.conman.org/private/" bytes=213 subject="" issuer=""
> remote=---.---.---.--- status=20 request="gemini://gemini.conman.org/private/mondrian.gif" bytes=3082 subject="" issuer=""
> 
>   After quite a bit of testing and thinking on this, I can only conclude
> that whoever sent this request did have a certificate, but the certificate
> did not include the issuer or subject fields.  As I stated, I accept any
> certificate (as long as the dates are valid).  I did not expect a
> certificate sans issuer/subject could be valid as well.  Perhaps it's not, I
> don't actually know, but kudos to the requestor.  I was not expecting this.
> 
>   -spc
> 
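The paragraph on logging formats above, and the key=value lines Sean quotes, are the kind of thing a small parser makes tractable. The following is an added example for this archive page, not code from the thread, from AV-98, Molly Brown or Sean's server: it parses lines in the quoted format, then sorts each request into "named" (a subject or issuer was logged), "anonymous" (both fields present but empty, the case Sean was puzzled by) or "none" (neither field logged). The sample lines are constructed here, modelled on the quoted ones; the last sample line, a request logged without subject/issuer fields, is an assumption for illustration, since the thread does not say how Sean's server logs a request that presented no certificate.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the key=value lines quoted in Sean's mail
# (remote= is masked there too). The last line is an assumption for
# illustration: a request that presented no certificate, logged without
# subject/issuer fields. The thread does not say how Sean's server logs that case.
SAMPLE_LOG = """\
remote=---.---.---.--- status=20 request="gemini://gemini.conman.org/private/" bytes=213 subject="/CN=AV-98 cert test" issuer="/CN=AV-98 cert test"
remote=---.---.---.--- status=20 request="gemini://gemini.conman.org/private/" bytes=213 subject="" issuer=""
remote=---.---.---.--- status=20 request="gemini://gemini.conman.org/private/mondrian.gif" bytes=3082 subject="" issuer=""
remote=---.---.---.--- status=20 request="gemini://gemini.conman.org/" bytes=1024
"""

# One field: a key, '=', then either a double-quoted value (backslash escapes
# allowed inside the quotes) or a run of non-whitespace characters.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one log line into a dict. Quoted values lose their quotes and
    backslash escapes; unquoted values are kept verbatim, as strings."""
    fields: Dict[str, str] = {}
    for key, raw in _FIELD_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            fields[key] = re.sub(r'\\(.)', r'\1', raw[1:-1])
        else:
            fields[key] = raw
    return fields


def classify_cert(fields: Dict[str, str]) -> str:
    """'named'     - a subject or issuer was logged
       'anonymous' - subject and issuer fields are present but both empty
                     (a certificate with no distinguished name at all)
       'none'      - neither field was logged (assumed here to mean no cert)"""
    if "subject" not in fields and "issuer" not in fields:
        return "none"
    if fields.get("subject", "") == "" and fields.get("issuer", "") == "":
        return "anonymous"
    return "named"


def parse_log(log_text: str) -> List[Dict[str, str]]:
    """Parse every non-blank line of a log into field dicts."""
    return [parse_log_line(line) for line in log_text.splitlines() if line.strip()]


def anonymous_cert_requests(log_text: str) -> List[str]:
    """URLs served to a client whose certificate had an empty subject and issuer."""
    return [f["request"] for f in parse_log(log_text)
            if classify_cert(f) == "anonymous"]


def summarize(log_text: str) -> Dict[str, int]:
    """Count requests by certificate class."""
    counts = {"named": 0, "anonymous": 0, "none": 0}
    for f in parse_log(log_text):
        counts[classify_cert(f)] += 1
    return counts


if __name__ == "__main__":
    for url in anonymous_cert_requests(SAMPLE_LOG):
        print("empty-subject cert:", url)
    print(summarize(SAMPLE_LOG))
```

The "none" versus "anonymous" distinction only works if the server omits the subject/issuer fields when no certificate was presented; if it writes `subject="" issuer=""` in both cases, the log cannot tell an anonymous certificate from no certificate at all. A shared log format, as suggested above, would do well to record certificate presence explicitly (a fingerprint field is one option) rather than relying on the subject being non-empty.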